
How do I troubleshoot errors when I copy encrypted Amazon EBS snapshots between AWS Regions and accounts?


I receive errors when I copy encrypted Amazon Elastic Block Store (Amazon EBS) snapshots between AWS Regions and AWS accounts.

Short description

When you copy Amazon EBS snapshots between Regions or accounts, you might receive errors for the following reasons:

  • The AWS Key Management Service (AWS KMS) key policy or AWS Identity and Access Management (IAM) policy is missing required permissions.
  • You encrypted the snapshot with the default AWS managed key (aws/ebs), which can't be shared across accounts.
  • Amazon EBS can't access the AWS KMS key that encrypts the source snapshot.
  • The KMS key doesn't exist in the destination Region.
  • For Amazon Data Lifecycle Manager snapshot copies, the required role isn't in the KMS key policy.

Resolution

Configure KMS key policies for encrypted snapshots

To share an encrypted snapshot across accounts, you must configure permissions in the following policies:

  • The KMS key policy in the source account must grant access to the destination account.
  • An IAM policy in the destination account must grant its user or role the required AWS KMS permissions.

Note: To share snapshots that you encrypted with the default AWS managed key aws/ebs, copy the snapshot within the same Region, and then specify a customer managed key. If you don't already have one, then create a customer managed key.

To add the required permissions, complete the following steps:

  1. In the source account, update your KMS key policy to grant the following permissions to the destination account:
    kms:CreateGrant
    kms:Decrypt
    kms:DescribeKey
    kms:Encrypt
    kms:GenerateDataKey*
    kms:ReEncrypt*
  2. Share the snapshot with the destination account.
  3. In the destination account, add an IAM policy that grants the same AWS KMS permissions to the user or role that performs the copy. Use the source key's full Amazon Resource Name (ARN) as the Resource, not an alias.
  4. In the destination account, copy the shared snapshot and specify a KMS key that the destination account owns. The copy is then encrypted with your own key, and later copies of it no longer depend on the source account's key policy.
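
The following script generates both policy documents from the steps above. It is an added example for this article, not AWS code; the account IDs, key ID and role name are made up, and the design choice of putting kms:CreateGrant in its own statement guarded by the kms:GrantIsForAWSResource condition (so the grant can only be created on behalf of an AWS service such as Amazon EBS) is this example's, not the article's. Write the output to files and apply them with `aws kms put-key-policy` in the source account and `aws iam put-role-policy` (or `put-user-policy`) in the destination account.

```python
"""Generate the two policy documents a cross-account encrypted snapshot copy needs:
KMS key policy statements for the SOURCE account and an IAM policy for the
DESTINATION account's user or role. Added example for this article; not AWS code.
Account IDs and key IDs are made up. Apply the output with, for example:
  aws kms put-key-policy --key-id <key-id> --policy-name default --policy file://key-policy.json
  aws iam put-role-policy --role-name <role> --policy-name EbsSnapshotCopyKms --policy-document file://iam-policy.json
"""
import json
import re

# The six actions the article lists for the destination account.
REQUIRED_KMS_ACTIONS = [
    "kms:CreateGrant",
    "kms:Decrypt",
    "kms:DescribeKey",
    "kms:Encrypt",
    "kms:GenerateDataKey*",
    "kms:ReEncrypt*",
]

# Full key ARN: arn:aws:kms:<region>:<account>:key/<key-id>. Alias ARNs
# (...:alias/<name>) are deliberately rejected; see destination_iam_policy().
KEY_ARN_RE = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")


def cross_account_key_policy_statements(dest_account_id: str) -> list:
    """Statements to add to the SOURCE account's key policy.

    The destination account's root principal gets the cryptographic actions so it
    can delegate them with IAM. kms:CreateGrant sits in its own statement limited
    by kms:GrantIsForAWSResource, so a grant can only be created on behalf of an
    AWS service (EBS attaching the key to the copy), not for arbitrary use.
    Splitting it out is this example's choice; the article lists all six together.
    """
    principal = {"AWS": f"arn:aws:iam::{dest_account_id}:root"}
    crypto_actions = [a for a in REQUIRED_KMS_ACTIONS if a != "kms:CreateGrant"]
    return [
        {
            "Sid": "AllowDestinationAccountUseOfTheKey",
            "Effect": "Allow",
            "Principal": principal,
            "Action": crypto_actions,
            "Resource": "*",
        },
        {
            "Sid": "AllowDestinationAccountGrantsForAwsResources",
            "Effect": "Allow",
            "Principal": principal,
            "Action": "kms:CreateGrant",
            "Resource": "*",
            "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
        },
    ]


def merge_into_key_policy(existing_policy: dict, dest_account_id: str) -> dict:
    """Return a copy of an existing key policy (the JSON from
    `aws kms get-key-policy --policy-name default`) with the cross-account
    statements added. Statements with the same Sid are replaced, so re-running
    against an already-shared key does not duplicate them."""
    new_statements = cross_account_key_policy_statements(dest_account_id)
    new_sids = {s["Sid"] for s in new_statements}
    merged = json.loads(json.dumps(existing_policy))  # deep copy; leave the input untouched
    merged["Statement"] = [
        s for s in merged.get("Statement", []) if s.get("Sid") not in new_sids
    ] + new_statements
    return merged


def destination_iam_policy(source_key_arn: str) -> dict:
    """IAM policy for the DESTINATION account's user or role.

    Resource must be the full key ARN. KMS evaluates the request against the key
    ARN, so a statement whose Resource names an alias never matches and the copy
    fails with "Not authorized to perform: kms:CreateGrant"."""
    if not KEY_ARN_RE.match(source_key_arn):
        raise ValueError(
            "expected a full KMS key ARN (arn:aws:kms:<region>:<account>:key/<id>), "
            f"got {source_key_arn!r}"
        )
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "UseSourceAccountKeyForSnapshotCopy",
                "Effect": "Allow",
                "Action": REQUIRED_KMS_ACTIONS,
                "Resource": source_key_arn,
            }
        ],
    }


if __name__ == "__main__":
    # Constructed sample: a source-account key with only the default root statement.
    SOURCE_ACCOUNT, DEST_ACCOUNT = "111111111111", "222222222222"
    source_key_arn = f"arn:aws:kms:us-east-1:{SOURCE_ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    existing = {
        "Version": "2012-10-17",
        "Id": "key-default-1",
        "Statement": [{
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{SOURCE_ACCOUNT}:root"},
            "Action": "kms:*",
            "Resource": "*",
        }],
    }
    print(json.dumps(merge_into_key_policy(existing, DEST_ACCOUNT), indent=2))  # key-policy.json
    print(json.dumps(destination_iam_policy(source_key_arn), indent=2))       # iam-policy.json
```

Run it in the source account after `aws kms get-key-policy --key-id <key-id> --policy-name default --output text > current.json` and feed that document to merge_into_key_policy, so the statements that already protect the key are preserved rather than overwritten.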

Use a customer managed key

You receive the following error message:

"Encrypted snapshots with EBS default key cannot be shared"

You receive this error message because you can't share snapshots that you encrypted with the default aws/ebs AWS managed key across accounts.

To resolve this issue, use a customer managed key to encrypt the snapshot.

Complete the following steps:

  1. Create a customer managed key.
  2. Copy the snapshot within the same Region, and then specify your customer managed key.
  3. Share your customer managed key with the destination account. For more information, see the Configure KMS key policies for encrypted snapshots section of this article.

Add the required permission to the IAM role or user

You receive the following error message:

"Not authorized to perform: kms:CreateGrant"

You receive this error message when the IAM role or user doesn't have the kms:CreateGrant permission on the snapshot copy's KMS key.

To resolve this issue, add the kms:CreateGrant permission to the IAM entity's policy. Also, make sure that the Resource element in the IAM policy uses the full KMS key ARN and not an alias: KMS evaluates the request against the key ARN, so a statement that names an alias never matches and grants nothing. For more information, see Share the KMS key used to encrypt a shared Amazon EBS snapshot.

Grant Amazon EBS access to the KMS key

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

You receive the following error message:

"Given key ID is not accessible"

You receive this error when Amazon EBS can't access the KMS key that you used to encrypt the source snapshot. The snapshot copy then enters the error state.

To check the snapshot copy state, run the following describe-snapshots AWS CLI command:

aws ec2 describe-snapshots --snapshot-ids snap-1234567890abcdef0

Note: Replace snap-1234567890abcdef0 with your snapshot copy ID.

To resolve this issue, check the AWS CloudTrail logs around the time of the copy for events from kms.amazonaws.com with the errorCode AccessDenied. The errorMessage of the event names the IAM role or user that was denied, the AWS KMS action it attempted (for example, kms:CreateGrant), and the ARN of the KMS key. Note the key ARN and the IAM role.

Then, take the following actions:

  • If the KMS key policy or IAM permissions are missing, then complete the steps in the Configure KMS key policies for encrypted snapshots section.
  • For cross-account copies, confirm that the source KMS key policy includes the destination account's root ARN (arn:aws:iam::<destination-account-id>:root) as a principal and grants it the required AWS KMS permissions. For cross-Region copies, verify that the KMS key that you specify for the copy exists in the destination Region, because KMS keys are Regional.
  • For Amazon Data Lifecycle Manager snapshot copies, add AWSDataLifecycleManagerDefaultRole to the KMS key policy, and then update the role's IAM policy with the required AWS KMS permissions that are listed in the Configure KMS key policies for encrypted snapshots section. For more information, see Control access to Amazon Data Lifecycle Manager using IAM.

If you disabled the KMS key, then enable it again. If the key is pending deletion, then cancel the deletion. Amazon EBS can't use a key in either state, and the copy fails even when the key policy and IAM permissions are correct.

Note: If you already deleted the KMS key, then you can't recover the data. You must create a new snapshot from the source volume, and then specify a new KMS key.
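
The following script works through the checks in this section in the order a responder would apply them: the snapshot copy state from describe-snapshots, the key's state from describe-key, and then the CloudTrail AccessDenied record, which it parses to decide whether the fix is a cross-account key policy, a missing IAM permission, a key in the wrong Region or the Amazon Data Lifecycle Manager role. It is an added example for this article, not AWS code. Every JSON document in it is a constructed sample shaped like the real AWS CLI and CloudTrail output, with made-up account, key and snapshot IDs, and the errorMessage format it parses is the usual "User: ... is not authorized to perform: ... on resource: ..." form of an AWS access denial.

```python
"""Triage one failed encrypted-snapshot copy from the evidence the article says to
collect: the describe-snapshots state, the key's metadata from describe-key and
the KMS AccessDenied record in CloudTrail. Added example for this article; not
AWS code. Every document below is a constructed sample shaped like the real CLI
and CloudTrail output, with made-up account, key and snapshot IDs.
"""
import json
import re
from typing import Optional

DLM_ROLE = "AWSDataLifecycleManagerDefaultRole"
SOURCE_KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/1234abcd-12ab-34cd-56ef-1234567890ab"

# CloudTrail errorMessage of a KMS denial: "User: <principal> is not authorized to
# perform: kms:<Action> on resource: <key ARN> because ..."
DENIED_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>kms:\w+) "
    r"on resource: (?P<key_arn>arn:aws:kms:(?P<key_region>[a-z0-9-]+):(?P<key_account>\d{12}):key/\S+)"
)

# Constructed element of `aws ec2 describe-snapshots` output for a copy that failed.
SNAPSHOT_IN_ERROR = {"SnapshotId": "snap-1234567890abcdef0", "State": "error",
                     "Encrypted": True, "KmsKeyId": SOURCE_KEY_ARN}


def denial_event(principal: str, action: str, key_arn: str, region: str = "us-east-1") -> dict:
    """Constructed CloudTrail record carrying the fields a real KMS denial has."""
    return {
        "eventSource": "kms.amazonaws.com",
        "eventName": action.split(":")[1],
        "awsRegion": region,
        "errorCode": "AccessDenied",
        "errorMessage": (f"User: {principal} is not authorized to perform: {action} "
                         f"on resource: {key_arn} because no resource-based policy "
                         f"allows the {action} action"),
    }


def account_of(arn: str) -> str:
    """Account ID field of an IAM or STS ARN (arn:aws:<service>:<region>:<account>:...)."""
    return arn.split(":")[4]


def triage(snapshot: dict, event: Optional[dict], copy_region: str, key_metadata: Optional[dict]) -> dict:
    """Map the collected evidence to one of the article's causes and its fix.

    copy_region is the Region the copy was made in. key_metadata is the KeyMetadata
    object from `aws kms describe-key --key-id <arn>`, or None if that call
    returned NotFoundException. event is the CloudTrail record, if one was found."""
    if snapshot.get("State") != "error":
        return {"cause": "not-in-error", "fix": f"Snapshot state is {snapshot.get('State')!r}; nothing to repair."}
    key = snapshot.get("KmsKeyId", "<unknown key>")
    # Key state first: a disabled, deleted or pending-deletion key fails regardless of permissions.
    if key_metadata is None:
        return {"cause": "key-not-found",
                "fix": f"{key} cannot be described. If it was deleted, the data cannot be recovered: "
                       "create a new snapshot from the source volume and specify a new key."}
    state = key_metadata.get("KeyState")
    if state == "PendingDeletion":
        return {"cause": "key-pending-deletion", "fix": f"aws kms cancel-key-deletion --key-id {key}"}
    if state == "Disabled":
        return {"cause": "key-disabled", "fix": f"aws kms enable-key --key-id {key}"}
    # Key is usable, so the failure is a permissions problem: read the denial.
    event = event or {}
    if event.get("eventSource") != "kms.amazonaws.com" or event.get("errorCode") != "AccessDenied":
        return {"cause": "unknown", "fix": "No KMS AccessDenied record; check CloudTrail for other errors at the copy time."}
    m = DENIED_RE.search(event.get("errorMessage", ""))
    if not m:
        return {"cause": "unknown", "fix": "Unrecognised errorMessage: " + event.get("errorMessage", "")}
    d = m.groupdict()
    if d["key_region"] != copy_region:
        return {**d, "cause": "key-wrong-region",
                "fix": f"Key is in {d['key_region']} but the copy ran in {copy_region}; specify a key that exists in {copy_region}."}
    if DLM_ROLE in d["principal"]:
        return {**d, "cause": "dlm-role-not-in-key-policy",
                "fix": f"Add {DLM_ROLE} to the key policy of {d['key_arn']} and grant it the required KMS actions in IAM."}
    if d["key_account"] != account_of(d["principal"]):
        return {**d, "cause": "cross-account-key-policy",
                "fix": f"Source key policy must allow arn:aws:iam::{account_of(d['principal'])}:root to {d['action']} on {d['key_arn']}."}
    return {**d, "cause": "iam-policy-missing-action",
            "fix": f"Grant {d['action']} on the full key ARN {d['key_arn']} (not an alias) to {d['principal']}."}


if __name__ == "__main__":
    scenarios = {
        "cross-account copier": (denial_event("arn:aws:sts::222222222222:assumed-role/SnapshotCopier/cli",
                                              "kms:CreateGrant", SOURCE_KEY_ARN), "us-east-1", {"KeyState": "Enabled"}),
        "DLM policy": (denial_event(f"arn:aws:sts::111111111111:assumed-role/{DLM_ROLE}/dlm",
                                    "kms:CreateGrant", SOURCE_KEY_ARN), "us-east-1", {"KeyState": "Enabled"}),
        "key scheduled for deletion": (None, "us-east-1", {"KeyState": "PendingDeletion"}),
    }
    for name, (event, region, meta) in scenarios.items():
        print(f"{name}: {json.dumps(triage(SNAPSHOT_IN_ERROR, event, region, meta), indent=2)}")
```

In practice you feed triage() the output of `aws ec2 describe-snapshots`, `aws kms describe-key` and a CloudTrail lookup (for example `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventSource,AttributeValue=kms.amazonaws.com`), all parsed from JSON; the checks run in the same order the article gives, so a key that is disabled or pending deletion is reported before any permission problem.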

Related information

How do I share an encrypted Amazon EBS snapshot or volume with another AWS account?

Time-based copies for Amazon EBS snapshots and EBS-backed AMIs

AWS OFFICIAL. Updated 14 days ago.